by Source Defense
Even with the PCI DSS 4.0 deadline now behind us, many organizations remain exposed to costly eSkimming threats and compliance gaps. Source Defense recently hosted a webinar exploring how compliance actually drives better business outcomes, viewed through the positive bottom-line impact of implementing PCI DSS eSkimming security controls.
Understanding the eSkimming Threat Landscape
The evolution of payment security has followed a predictable path. When the EMV liability shift made physical card fraud more difficult in 2015, cybercriminals shifted their focus to the e-commerce channel. This led to the emergence of Magecart attacks (synonymous with eSkimming) in 2016, targeting data at the point of input—as consumers enter their information into web forms.
Today, the threat has reached alarming proportions. According to the latest research shared during the session, a staggering 269 million cards were compromised in 2024, with the vast majority coming from Card Not Present environments. There were 11,000 identified unique e-commerce domains impacted by eSkimming infections last year—a 300% increase from 2023.
The JavaScript Vulnerability at the Heart of the Problem
The fundamental issue lies in how modern websites are built. JavaScript powers 98% of websites worldwide, with an average of 18 scripts per page—a 50% increase in just two years. More concerning, research from Source Defense and Verizon’s 2024 Payment Security Report shows that 40% of these scripts run directly on payment pages.
The browser applies no inherent security model to these scripts, which are often supplied by third-party vendors: every script, regardless of its source, runs with the same access and capabilities on your website:
- They can capture keystrokes as users enter sensitive information
- They can modify page content and add form fields
- They can redirect visitors to other websites
- They can read and transfer data entered into forms
This unrestricted access creates a significant security gap that cybercriminals actively exploit, with Visa repeatedly warning that “the targeting of e-commerce platforms and third-party code integrations are among the most common tactics utilized by threat actors.”
The Business Value of eSkimming Security
While PCI DSS 4.0 requirements 6.4.3 and 11.6.1 mandate protection against these threats, the business benefits extend far beyond mere compliance.
Reducing Shopping Cart Abandonment
Abandoned shopping carts represent $18 billion in lost revenue annually. Nearly 20% of consumers abandon purchases because they don’t trust websites with their credit card information. By implementing proper eSkimming security, organizations can:
- Display PCI compliance badges that build consumer trust
- Prevent the site errors and crashes that drive away 7% of potential customers
- Ensure smooth checkout experiences by eliminating malicious interference
Preventing Fraud and Protecting Brand Reputation
The financial impact of data breaches extends well beyond immediate remediation costs:
- Credit card fraud costs $32 billion annually, with merchants paying $3.75 for every $1 of fraud
- 48% of consumers believe merchants are responsible for protecting their data
- Up to 70% of customers say they won’t return to a business after a data breach
By preventing the theft of payment data through eSkimming attacks, organizations not only protect their customers but also reduce the pool of compromised cards that can be used for downstream fraud.
Enabling Critical Business Tools
Marketing and e-commerce teams depend on third-party tools to enhance customer experiences and drive conversions. Rather than restricting these tools, proper eSkimming security enables their safe implementation, becoming a business enabler rather than a roadblock.
The Reality of Modern eSkimming Attacks
Recent investigations highlight that eSkimming attacks are not limited to payment pages. In February 2025, Source Defense documented an attack where:
- Compromised scripts created perfect visual replicas of legitimate payment pages
- Attackers even validated credit card information using the Stripe API before stealing it
- The original checkout flow was maintained, making the attack virtually invisible to users
This sophisticated approach bypasses traditional security measures and underscores why comprehensive, site-wide protection is essential rather than focusing solely on payment pages or iframes.
Moving Forward: Practical Steps
Despite recent changes to the PCI DSS SAQ-A eligibility criteria causing some confusion in the industry, the need for eSkimming protection remains clear. Organizations should:
- Assess their current posture: Understand how many third-party scripts are running across your website and what data they can access.
- Recognize the limitations of DIY approaches: Content Security Policy (CSP) and Subresource Integrity (SRI) have significant limitations when dealing with dynamic scripts and are often bypassed by sophisticated attacks.
- Implement prevention-first security: Rather than relying on detection alone, organizations should deploy solutions that automatically prevent unauthorized script behaviors.
- Consider enterprise-wide impact: Beyond PCI compliance, solutions like Source Defense can also address concerns related to HIPAA, GDPR, and other privacy regulations.
Conclusion
Defending against eSkimming is no longer optional—it’s an essential component of any comprehensive security strategy. By implementing proper eSkimming security, organizations can not only achieve compliance but also protect their revenue, enhance customer trust, and enable their digital teams to innovate safely.
The financial impact of shopping cart abandonment, fraud losses, and reputational damage far outweighs the investment in proper security controls. With eSkimming attacks becoming increasingly sophisticated and prevalent, the time to act is now.
Ready to protect your organization from eSkimming threats? Contact Source Defense today for a free risk assessment and discover how our patented technology can secure your digital front door.